podman-auto-update(1)       General Commands Manual      podman-auto-update(1)

NAME

       podman-auto-update - Auto update containers according to their
       auto-update policy

SYNOPSIS

       podman auto-update [options]

DESCRIPTION

       podman auto-update pulls down new container images and restarts
       containers configured for auto updates.  To make use of auto updates,
       the container or Kubernetes workloads must run inside a systemd unit.
       After a successful update of an image, the containers using the image
       get updated by restarting the systemd units they run in.  Please refer
       to quadlet(5) on how to run Podman under systemd.

       To configure a container for auto updates, it must be created with the
       io.containers.autoupdate label or the AutoUpdate field in quadlet(5)
       with one of the following two values:

       registry:  If the label is present and set to registry, Podman
                reaches out to the corresponding registry to check if the
                image has been updated.  The label value image is an
                alternative to registry, maintained for backwards
                compatibility.  An image is considered updated if the digest
                in the local storage differs from that of the remote image.
                If an image must be updated, Podman pulls it down and restarts
                the systemd unit executing the container.  The registry policy
                requires a fully-qualified image reference (e.g.,
                quay.io/podman/stable:latest) to be used to create the
                container.  This enforcement is necessary to know which image
                to actually check and pull.  If an image ID were used, Podman
                would no longer know which image to check or pull.

       local:  If the autoupdate label is set to local, Podman compares the
                image digest of the container to the one in the local
                container storage.  If they differ, the local image is
                considered to be newer and the systemd unit gets restarted.

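       Added example (not Podman's own validation code): a pre-deployment
       check for the registry policy's requirement of a fully-qualified image
       reference, run over a Quadlet .container file.  It assumes Image= holds
       a literal reference and approximates "fully qualified" by testing
       whether the first path component looks like a registry host; the
       function names are illustrative.

```shell
#!/bin/sh
# Added example, not Podman code: flag Quadlet files whose registry
# auto-update policy is paired with a short image name or an image ID.

# Heuristic (assumption): a reference is fully qualified when its first path
# component looks like a registry host ('.' or ':' in it, or "localhost").
is_fully_qualified() {
    case $1 in
        */*) host=${1%%/*} ;;
        *)   return 1 ;;      # no registry part: "fedora:latest", image ID
    esac
    case $host in
        localhost|*.*|*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# quadlet_value FILE KEY: print the last KEY= value in the [Container] section.
quadlet_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_c = ($0 ~ /^[ \t]*\[Container\]/); next }
        !in_c || /^[ \t]*[#;]/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_quadlet FILE: return 1 and print a finding when the file violates
# the fully-qualified requirement of AutoUpdate=registry.
audit_quadlet() {
    [ "$(quadlet_value "$1" AutoUpdate)" = "registry" ] || return 0
    image=$(quadlet_value "$1" Image)
    is_fully_qualified "$image" && return 0
    echo "$1: AutoUpdate=registry but Image=$image is not fully qualified"
    return 1
}

# Constructed sample: a short-name variant of a sleep.container unit.
demo=$(mktemp)
printf '[Container]\nImage=fedora:latest\nAutoUpdate=registry\n' > "$demo"
audit_quadlet "$demo" || true
rm -f "$demo"
```
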
   Auto Updates and Kubernetes YAML
       Podman supports auto updates for Kubernetes workloads.  The auto-update
       policy can be configured directly via quadlet(5) or inside the
       Kubernetes YAML with the Podman-specific annotations mentioned below:

       io.containers.autoupdate: "registry|local" to apply the auto-update
                policy to all containers

       io.containers.autoupdate/$container: "registry|local" to apply the
                auto-update policy to $container only

       io.containers.sdnotify: "conmon|container" to apply the sdnotify
                policy to all containers

       io.containers.sdnotify/$container: "conmon|container" to apply the
                sdnotify policy to $container only

       By default, the autoupdate policy is set to "disabled" and the sdnotify
       policy is set to "conmon".

   Systemd Unit and Timer
       Podman ships with a podman-auto-update.service systemd unit.  This unit
       is triggered daily at midnight by the podman-auto-update.timer systemd
       timer.  The timer can be altered for custom time-based updates if
       desired.  The unit can further be invoked by other systemd units (e.g.,
       via the dependency tree) or manually via systemctl start
       podman-auto-update.service.

OPTIONS

   --authfile=path
       Path of the authentication file.  Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and
       $HOME/.config/containers/auth.json on Windows/macOS.  The file is
       created by podman login.  If the authorization state is not found
       there, $HOME/.docker/config.json is checked, which is set using docker
       login.

       Note: There is also the option to override the default path of the
       authentication file by setting the REGISTRY_AUTH_FILE environment
       variable.  This can be done with export REGISTRY_AUTH_FILE=path.

       Alternatively, the io.containers.autoupdate.authfile container label
       can be configured.  In that case, Podman will use the specified label's
       value instead.

   --dry-run
       Check for the availability of new images but do not perform any pull
       operation or restart any service or container.  The UPDATED field
       indicates the availability of a new image with "pending".

   --format=format
       Change the default output format.  This can be of a supported type like
       'json' or a Go template.  Valid placeholders for the Go template are
       listed below:

       ┌───────────────┬──────────────────────────────┐
       │Placeholder    │ Description                  │
       ├───────────────┼──────────────────────────────┤
       │.Container     │ ID and name of the container │
       ├───────────────┼──────────────────────────────┤
       │.ContainerID   │ ID of the container          │
       ├───────────────┼──────────────────────────────┤
       │.ContainerName │ Name of the container        │
       ├───────────────┼──────────────────────────────┤
       │.Image         │ Name of the image            │
       ├───────────────┼──────────────────────────────┤
       │.Policy        │ Auto-update policy of the    │
       │               │ container                    │
       ├───────────────┼──────────────────────────────┤
       │.Unit          │ Name of the systemd unit     │
       ├───────────────┼──────────────────────────────┤
       │.Updated       │ Update status:               │
       │               │ true,false,failed            │
       └───────────────┴──────────────────────────────┘

   --rollback
       If restarting a systemd unit after updating the image has failed, roll
       back to using the previous image and restart the unit another time.
       Default is true.

       Note that detecting if a systemd unit has failed is best done by the
       container sending the READY message via SDNOTIFY.  This way, restarting
       the unit waits until the message has been received or a timeout has
       kicked in.  Without that, restarting the systemd unit may succeed even
       if the container has failed shortly after.

       For a container to send the READY message via SDNOTIFY it must be
       created with the --sdnotify=container option (see podman-run(1)).  The
       application running inside the container can then execute
       systemd-notify --ready when ready or use the sdnotify bindings of the
       specific programming language (e.g., sd_notify(3)).

   --tls-verify
       Require HTTPS and verify certificates when contacting registries
       (default: true).  If explicitly set to true, TLS verification is used.
       If set to false, TLS verification is not used.  If not specified, TLS
       verification is used unless the target registry is listed as an
       insecure registry in containers-registries.conf(5).

EXAMPLES

       Create a Quadlet file configured for auto updates:

              $ cat ~/.config/containers/systemd/sleep.container
              [Container]
              Image=registry.fedoraproject.org/fedora:latest
              Exec=sleep infinity
              AutoUpdate=registry

       Generate a systemd service from the Quadlet file by reloading the
       systemd user daemon:

              $ systemctl --user daemon-reload

       Start the systemd service and make sure the container is running:

              $ systemctl --user start sleep.service
              $ podman ps
              CONTAINER ID  IMAGE                                     COMMAND         CREATED        STATUS        PORTS       NAMES
              f8e4759798d4  registry.fedoraproject.org/fedora:latest  sleep infinity  2 seconds ago  Up 2 seconds              systemd-sleep

       Check if a new image is available via --dry-run:

              $ podman auto-update --dry-run --format "{{.Image}} {{.Updated}}"
              registry.fedoraproject.org/fedora:latest   pending

       Update the service:

              $ podman auto-update
              UNIT           CONTAINER                     IMAGE                                     POLICY      UPDATED
              sleep.service  f8e4759798d4 (systemd-sleep)  registry.fedoraproject.org/fedora:latest  registry    true
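
       Added example (not from the Podman project): a review gate for the
       --dry-run report, so that an unattended update is only started when
       every pending image comes from an approved registry and no unit is
       reported as failed.  The function name, the finding labels, the
       approved-registry list and the sample lines are constructed for
       illustration.

```shell
#!/bin/sh
# Added example, not Podman code. Expects lines produced with
#   --format "{{.Unit}} {{.Image}} {{.Policy}} {{.Updated}}"
# (placeholders from the --format table; none of the values contain spaces).

# review_report REGISTRY...: read report lines on stdin, print one finding per
# unit that is pending or failed, and return 1 if any finding blocks an
# unattended update: a failed unit, or a pending image whose registry is not
# among the REGISTRY arguments (the approved-registry list is an assumption).
review_report() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, reg, " ") }
        NF != 4 { next }                      # skip blank or malformed lines
        {
            unit = $1; image = $2; status = $4; approved = 0
            for (i = 1; i <= n; i++)
                if (index(image, reg[i] "/") == 1) approved = 1
            if (status == "failed") {
                print "FAILED " unit " " image; block = 1
            } else if (status == "pending" && !approved) {
                print "UNAPPROVED " unit " " image; block = 1
            } else if (status == "pending") {
                print "PENDING " unit " " image
            }
        }
        END { exit (block ? 1 : 0) }
    '
}

# Constructed sample report (not real Podman output).
sample='sleep.service registry.fedoraproject.org/fedora:latest registry pending
web.service quay.io/podman/stable:latest registry false
db.service registry.example.test/db:latest registry pending
cache.service registry.fedoraproject.org/cache:latest registry failed'

printf '%s\n' "$sample" | review_report registry.fedoraproject.org || true
```

       A wrapper can pipe the output of podman auto-update --dry-run with the
       format string shown in the comment into review_report and start the
       real update only when the function returns 0.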

SEE ALSO

       podman(1), podman-generate-systemd(1), podman-run(1),
       podman-systemd.unit(5), sd_notify(3), systemd.unit(5)

                                                         podman-auto-update(1)